Re: Requesting reviews of draft-vanrein-httpauth-sasl

Michiel Leenaars <michiel.ml@nlnet.nl> Thu, 14 May 2020 16:01 UTC

From: Michiel Leenaars <michiel.ml@nlnet.nl>
To: <ietf-http-wg@w3.org>
Date: Thu, 14 May 2020 17:52:45 +0200
Message-ID: <7fd383fb-1953-4f17-94ba-fb0995a6714d@nlnet.nl>
In-Reply-To: <3b29ffdf-54dc-4e36-f3c9-d224423b357b@gmail.com>
References: <B9974B38-6CC7-4979-B08C-ADA6EB22A66A@apple.com> <3b29ffdf-54dc-4e36-f3c9-d224423b357b@gmail.com>
Subject: Re: Requesting reviews of draft-vanrein-httpauth-sasl
Archived-At: <https://www.w3.org/mid/7fd383fb-1953-4f17-94ba-fb0995a6714d@nlnet.nl>

Hi James,

>> This means that a secure transport layer must be used, like 
>> TLS.  The termination of such a secure layer MUST also 
>> terminate any ongoing SASL handshakes.
>
> Isn't this incompatible with use cases where TLS termination is 
> separated from the processing of the HTTP request, as is common 
> in CDNs, or where a trusted proxy is involved?

arguably, resources fetched from a public CDN are (or should be) 
exclusively static assets, which of course can be used in an authenticated 
session but are not part of it. TLS can be provided for integrity, but not 
for confidentiality.

Since a CDN is essentially a cache with man-in-the-middle capabilities, 
allowing it to observe all the traffic that passes by, it cannot be end-to-end 
secure in the actual sense of the word and should not be used as such. So I 
do not see an incompatibility...

Best,
Michiel Leenaars
NLnet Foundation